Check valid host from list

This commit is contained in:
Bolke de Bruin
2022-08-25 11:22:23 +02:00
parent 0901a117c9
commit 9d2dc57e90
3 changed files with 45 additions and 4 deletions


@@ -41,6 +41,8 @@ func main() {
security.UserEncryptionKey = []byte(conf.Security.UserTokenEncryptionKey) security.UserEncryptionKey = []byte(conf.Security.UserTokenEncryptionKey)
security.UserSigningKey = []byte(conf.Security.UserTokenSigningKey) security.UserSigningKey = []byte(conf.Security.UserTokenSigningKey)
security.QuerySigningKey = []byte(conf.Security.QueryTokenSigningKey) security.QuerySigningKey = []byte(conf.Security.QueryTokenSigningKey)
security.HostSelection = conf.Server.HostSelection
security.Hosts = conf.Server.Hosts
// configure api // configure api
api := &api.Config{ api := &api.Config{
@@ -136,7 +138,7 @@ func main() {
} }
// create the gateway // create the gateway
handlerConfig := protocol.ServerConf{ gwConfig := protocol.ServerConf{
IdleTimeout: conf.Caps.IdleTimeout, IdleTimeout: conf.Caps.IdleTimeout,
TokenAuth: conf.Caps.TokenAuth, TokenAuth: conf.Caps.TokenAuth,
SmartCardAuth: conf.Caps.SmartCardAuth, SmartCardAuth: conf.Caps.SmartCardAuth,
@@ -153,11 +155,13 @@ func main() {
ReceiveBuf: conf.Server.ReceiveBuf, ReceiveBuf: conf.Server.ReceiveBuf,
} }
if conf.Caps.TokenAuth { if conf.Caps.TokenAuth {
handlerConfig.VerifyTunnelAuthFunc = security.VerifyPAAToken gwConfig.VerifyTunnelAuthFunc = security.VerifyPAAToken
handlerConfig.VerifyServerFunc = security.VerifyServerFunc gwConfig.VerifyServerFunc = security.VerifyServerFunc
} else {
gwConfig.VerifyServerFunc = security.BasicVerifyServer
} }
gw := protocol.Gateway{ gw := protocol.Gateway{
ServerConf: &handlerConfig, ServerConf: &gwConfig,
} }
if conf.Server.Authentication == "local" { if conf.Server.Authentication == "local" {
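Review bot: A configuration with conf.Caps.TokenAuth false and conf.Server.HostSelection set to "signed" installs BasicVerifyServer through the new else branch in the third hunk, and in this commit's security package that function rejects "signed" mode unconditionally, so every client connection would be refused at runtime instead of the misconfiguration being reported once at startup. Consider validating the pair right after the assignments added in the first hunk, e.g. `if !conf.Caps.TokenAuth && conf.Server.HostSelection == "signed" { /* fail startup with the usual fatal path */ }`. main begins and ends outside these hunks.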


@@ -143,6 +143,7 @@ func (s *Server) Process(ctx context.Context) error {
server, port := s.channelRequest(pkt) server, port := s.channelRequest(pkt)
host := net.JoinHostPort(server, strconv.Itoa(int(port))) host := net.JoinHostPort(server, strconv.Itoa(int(port)))
if s.VerifyServerFunc != nil { if s.VerifyServerFunc != nil {
log.Printf("Verifying %s host connection", host)
if ok, _ := s.VerifyServerFunc(ctx, host); !ok { if ok, _ := s.VerifyServerFunc(ctx, host); !ok {
log.Printf("Not allowed to connect to %s by policy handler", host) log.Printf("Not allowed to connect to %s by policy handler", host)
msg := s.channelResponse(E_PROXY_RAP_ACCESSDENIED) msg := s.channelResponse(E_PROXY_RAP_ACCESSDENIED)
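Review bot: The new log line prints host, which is assembled from the client-supplied channel request two lines above, with %s; `%q` would make an empty value or embedded control characters visible in the log: `log.Printf("Verifying %q host connection", host)`. Since BasicVerifyServer now returns a reason in its error, the `ok, _ :=` on the following line discards information that the "Not allowed" message could carry; consider capturing the error and appending it to that log line. Process starts and ends outside the hunk.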


@@ -0,0 +1,36 @@
package security
import (
"context"
"errors"
"fmt"
"log"
)
var (
Hosts []string
HostSelection string
)
func BasicVerifyServer(ctx context.Context, host string) (bool, error) {
if HostSelection == "any" {
return true, nil
}
if HostSelection == "signed" {
// todo get from context
return false, errors.New("cannot verify host in 'signed' mode as token data is missing")
}
if HostSelection == "roundrobin" || HostSelection == "unsigned" {
log.Printf("Checking host")
for _, h := range Hosts {
if h == host {
return true, nil
}
}
return false, fmt.Errorf("invalid host %s", host)
}
return false, errors.New("unrecognized host selection criteria")
}
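Review bot: The exported `Hosts`, `HostSelection` and `BasicVerifyServer` carry no doc comments, and the contract that matters is not stated anywhere: `h == host` is an exact string comparison, so each Hosts entry must use the same host:port spelling the caller passes (the protocol hunk in this commit builds it with net.JoinHostPort). Suggested comment on the function: `// BasicVerifyServer reports whether host (host:port form) may be connected to under HostSelection: "any" allows every host, "signed" always denies because the token data is not available here, and "roundrobin"/"unsigned" require host to equal an entry of Hosts exactly.` The mode strings are also compared as bare literals in three places; naming them as constants in this file and dispatching with `switch HostSelection` would keep the recognised modes visible in one spot. Finally, `log.Printf("Checking host")` logs nothing useful; `log.Printf("Checking host %q", host)` would identify the request being evaluated.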